A number of recent stories illustrate the possibilities and perils of 21st-century information technologies. I recently discussed Hillary Clinton’s email troubles, but there are other recent stories that continue and illustrate this trend.

There’s a hoary old saying that you learn in law school: “the law is a seamless web”. What’s meant by this is that, although you study law as a series of discrete, siloed topics, it’s all really one big thing, and all interrelated.

In April of this year, after many years of debate and drafting, the EU adopted its new General Data Protection Regulation (which I will call “the regulation” for the rest of this post). The regulation is an attempt to resolve a problem that has manifested itself for a very long time now: privacy regulation in Europe is done on a national basis, by highly independent national data privacy authorities, which means that any business in Europe that is implicated by privacy laws is dealing with 28 sets of laws. The national data privacy authorities have gone off in a great many different directions, resulting in very light regulation of data privacy issues in some places, e.g. the United Kingdom, and extraordinarily prescriptive and detailed regulation in others, such as France. The resulting hodgepodge has been a compliance nightmare for organizations for many years now, and the stated goal of the regulation is to harmonize this mass of law and make it easy for organizations to comply. The question is, does it actually do this?

John Montana, 2016-07-07: The EU's General Data Protection Regulation – a Sea Change, or Old Wine in a New Bottle?

The Hillary Clinton email brouhaha has in many respects taken front and center in the political arena. But leaving aside the politics of it, there are many records management and information governance aspects of the whole affair that are important and valuable to those of us in the records and information management business, regardless of our political leanings and regardless of our desired outcome. So, let’s have a look at what we can learn from the episode, and what we might do differently in our own organizations based on that learning.

Washington remains the only state that does not accord the same legal effect to electronic signatures as it does to their wet-ink versions for intrastate transactions involving government agencies.

China has updated its record keeping requirements through the 2016 passage of a new accounting regulation, the Administrative Measures on Accounting Records. Some of the new retention requirements have increased retention periods significantly. Here’s a breakdown of the new regulation:

I was in Africa recently, in the country of Sénégal in a little town called Guéoul. I wasn’t there on business, or more accurately, I wasn’t there on my normal business. I volunteer for a nongovernmental organization that tries to keep young girls from poor families in school.

John Montana, 2016-02-22: Records and Life in the Third World

In September 2015 Russia’s new data localization law (Federal Law No. 526-FZ) came into force. The law requires all businesses that collect personal data on Russian citizens to “record, systematize, accumulate, store, update, change, and retrieve that information” in databases located within the Russian Federation.

In November 2015, Kazakhstan passed the so-called Informatization Law, effective January 2016. This law is similar to the one recently enacted in Russia, in that both require that databases and record systems containing personal data about citizens of that country be maintained within the boundaries of the country.

In addition to the European Court of Justice’s rejection (and invalidation) of the 16 year-old Safe Harbor mechanism between Europe and the United States (which is discussed in more detail below), the European Commission approved a reform of its own data privacy regime (on December 15, 2015). The new regime is an attempt by the Commission to rationalize the regulation of data collection and data privacy throughout the European Union.

A couple of weeks ago, it was revealed that the Multidimensional Insurance Data Analytics System, or MIDAS, the database used by the Obamacare system, retains its data permanently. The data in question includes a wide variety of personal information, including insurance applications, personal financial information related to qualification for federal subsidies, and Medicare eligibility information. Since the database exists purely to conduct insurance transactions, there is no question that the data it holds relates to an insurance transaction. And the data doesn’t just involve current enrollees, either. If you go even partway through the application process, your data is there, apparently forever.

I’m often asked a question that goes something like this: “We’ve moved our records to a cloud-based vendor. How do we implement our records retention schedule on the vendor’s system?” More often than not, this question involves personnel records and other human resources records, because there’s a big industry of outsourced HR functions, but it could be other records as well.

Many times, the answer that I have to give isn’t the one they want to hear. This is particularly true when the move has already been made.